Full Disclosure mailing list archives
Re: rpc/dcom -- de ja vu?
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sun, 3 Aug 2003 01:21:54 -0700
----- Original Message -----
From: "Shanphen Dawa" <list () hardlined com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, August 03, 2003 1:29 AM
Subject: Re: [Full-disclosure] rpc/dcom -- de ja vu?
.bat files!! must be dat hax0r morning_w00d
i almost would think so too, with tftp32.exe at that yet! but i hate radmin and ddos mirc crap, so it's not me... reminds me of gg.bat tho, that was of Brazilian descent if i recall. and it's not the sdbot that was "proc32.exe". it looks quite amateurish at best, not even renaming / combining / compressing files, etc. to avoid detection. using dcom32.exe with the cygwin1.dll as a remote autohacker is very sloppy as well; an easy way to catch it would be to signature the binary of dcom, as i hope most av products catch radmin. (i don't have av in the house, been off the stuff for a while now.) but i do believe many "commercial" and other remote tools are not flagged by av products because of their "commerciality", thus they become the base for the sloppy remote / rootkit / autohacking crap that you see here.

morning_wood - the .bat n xss King, yea baby 8-)
tftpd32.exe < trivial ftp daemon
rpc.exe < ?
r_server.exe < radmin server
raddrv.dll < include dll for radmin
AdmDll.dll < include dll for radmin
rad.bat < 1337 h4x0r b47ch file
rpc.bat < another 1337 h4x0r b47ch file
cygwin1.dll < duh
DCOM32.exe < exploit
NC.exe < netcat

I first saw this on my friend's computer ... I assumed it was just a guy with some spare time screwing around ... however, I have observed this on one of my client's computers as well.
-- Justin
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
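An added example, not code from anyone in this thread: a small triage check that walks a host's filesystem for the toolkit file set Justin listed (tftpd32.exe, r_server.exe, DCOM32.exe, NC.exe and friends), scores how many of the rarely-co-occurring core pieces are present, and records the SHA-256 of each hit so the hashes can later be turned into the binary signatures morning_wood talks about. The grouping into a "core" set and the score thresholds are my own assumptions, the sample directories are constructed in a temp folder, and, as morning_wood points out, filename matching alone is weak because a less sloppy attacker simply renames or packs the files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Filenames from the listing in the original post, lower-cased for matching.
# The one-line descriptions restate the poster's annotations.
TOOLKIT_FILES = {
    "tftpd32.exe": "trivial ftp daemon",
    "rpc.exe": "unknown",
    "r_server.exe": "radmin server",
    "raddrv.dll": "radmin dll",
    "admdll.dll": "radmin dll",
    "rad.bat": "batch file",
    "rpc.bat": "batch file",
    "cygwin1.dll": "cygwin runtime",
    "dcom32.exe": "exploit",
    "nc.exe": "netcat",
}

# Assumption: these four rarely sit together on a clean workstation, so their
# co-occurrence is weighted; a lone nc.exe or cygwin1.dll is only "suspicious".
CORE = {"dcom32.exe", "tftpd32.exe", "nc.exe", "r_server.exe"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks; the digest is what you would feed a signature."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dir(root) -> dict:
    """Walk root and return {lower-cased name: (path, sha256)} for toolkit names."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            key = fn.lower()          # Windows names are case-insensitive
            if key in TOOLKIT_FILES:
                p = Path(dirpath) / fn
                hits[key] = (str(p), sha256_file(p))
    return hits


def assess(found) -> str:
    """Verdict from the set of matched names (assumed thresholds)."""
    core_hits = len(CORE & set(found))
    if core_hits >= 3:
        return "likely toolkit drop"
    if found:
        return "suspicious"
    return "clean"


def make_sample_host(root, names):
    """Create constructed placeholder files standing in for a host's disk."""
    root = Path(root)
    for n in names:
        (root / n).write_bytes(b"constructed placeholder for " + n.encode())
    return root


def demo():
    """Scan one constructed 'compromised' tree and one 'clean' tree."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "compromised"
        drop.mkdir()
        make_sample_host(drop, ["DCOM32.exe", "tftpd32.exe", "NC.exe",
                                "r_server.exe", "rad.bat", "notes.txt"])
        clean = Path(tmp) / "clean"
        clean.mkdir()
        make_sample_host(clean, ["nc.exe", "readme.txt"])
        drop_hits = scan_dir(drop)
        for name, (path, digest) in sorted(drop_hits.items()):
            print(f"{name:14} {TOOLKIT_FILES[name]:18} {digest[:16]}...  {path}")
        return assess(drop_hits), assess(scan_dir(clean)), sorted(drop_hits)


if __name__ == "__main__":
    print(demo())
```

The hashes are the part worth keeping: a filename list catches exactly the "not even renaming" operators this thread is laughing at, while a digest (or a real signature derived from the dcom32.exe binary) still catches the same drop after a rename.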
Current thread:
- rpc/dcom -- de ja vu? Justin Shin (Aug 02)
- Re: rpc/dcom -- de ja vu? Shanphen Dawa (Aug 03)
- Re: rpc/dcom -- de ja vu? morning_wood (Aug 03)
- Re: rpc/dcom -- de ja vu? Shanphen Dawa (Aug 03)